Closed millaguie closed 1 year ago
Thanks for the suggestion. Could you please explain what the problem is being fixed, what environment the problem is visible in and how the change fixes that problem?
Thanks for the suggestion. Could you please explain what the problem is being fixed, what environment the problem is visible in and how the change fixes that problem?
sorry I just added a description
Hi,
Can you please test with frame-src 'self' https://*.google.com; Does it work?
Any updates on this?
@davidjgraph This is breaking google drive integration -> the part where you want to load the file from drive storage into drawio Saving the file into storage is not affected until you want to select any other directory that is not root
When trying to open a file from authorized storage a blocked iframe is shown:
When headers removed from there:
This is happening in a self-hosted environment where those CSP headers are injected to decouple from the cloud-hosted version https://github.com/jgraph/docker-drawio/blob/dev/main/docker-entrypoint.sh#L15
Hope this makes it to a new version
What are the exact, complete steps to reproduce the problem?
@davidjgraph you can use the following docker-compose to run setup locally + you'll need to create google app to get credentials
version: '3'
services:
image-export:
image: jgraph/export-server # export:latest
expose:
- "8000"
networks:
- drawionet
environment:
- DRAWIO_SERVER_URL=http://drawio:8080
drawio:
image: jgraph/drawio:18.1.1
links:
- image-export
networks:
- drawionet
ports:
- "80:8080"
- "443:8443"
environment:
- DRAWIO_SELF_CONTAINED="1" # PDF export function removed for self-hosted
- EXPORT_URL=http://image-export:8000/
- DRAWIO_BASE_URL=http://drawio
- DRAWIO_VIEWER_URL=http://drawio/js/viewer.min.js
- DRAWIO_GOOGLE_APP_ID=xxxxxxx
- DRAWIO_GOOGLE_CLIENT_ID=xxxxxxx
- DRAWIO_GOOGLE_CLIENT_SECRET=xxxxxxx
networks:
drawionet:
Steps:
Hi,
You can customize the CSP using the environment variable DRAWIO_CSP_HEADER Also, we'll add frame-src 'self' https://*.google.com; to the default CSP
@ashrafteleb you are right, that looks to be the temporary fix until it's added to default CSP.
On top of what you've mentioned, I've added 3 missing domains for frame-src for this to work properly
frame-src '\self\' https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com
My full CSP added as env variable DRAWIO_CSP_HEADER:
default-src '\self\'; script-src '\self\' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com \'unsafe-inline\'; connect-src '\self\' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src '\self\' \'unsafe-inline\' https://fonts.googleapis.com; frame-src '\self\' https://*.google.com https://*.googleapis.com https://*.googleusercontent.com https://*.gstatic.com;
@millaguie try with this above, it works for me + removed unsafe-inline as it's not needed and better to avoid unless necessary
I'm don't see it's a bug that the CSP applies the most restrictive policy. The majority of users won't integrate with Google, so I'd think that should be a custom setting and documented.
While using Google Drive as the backend you have to ensure to allow CSP frame-src from google or it will fail to log in, due to CSP restrictions.
This allows that and fixes the issue